🚨 Security release! 🚨

Routinator 0.15.2 ‘Irgendwas ist immer’ is now available. This release fixes a number of vulnerabilities and security issues identified by a security audit performed by @x41sec, which was kindly funded by @sovtechfund.

We advise all users to upgrade at their earliest convenience.

https://community.nlnetlabs.nl/t/routinator-0-15-2-irgendwas-ist-immer-released/3400

#RPKI #CVE #Security #BGP #Routing

Routinator 0.15.2 ‘Irgendwas ist immer’ released

We are pleased to announce the latest release of Routinator, version 0.15.2 ‘Irgendwas ist immer.’ Routinator is an RPKI relying party software that collects and validates statements in the Resource Public Key Infrastructure (RPKI) about allowed route origins and makes them available to the BGP workflow. This release fixes a number of issues discovered during a security audit of Routinator performed earlier this year by X41 D-Sec which was kindly financed by Sovereign Tech Agency. The securi...

NLnet Labs Community

@bawuenet now has #rpki for all addresses - thanks for enabling it, @ixs

Weekend Reads

* Centrality in the DNS
https://www.potaroo.net/ispcol/2026-05/dns-centrality.html
* RPKI RP fuzzing analysis
https://arxiv.org/abs/2605.26651
* Iran Internet partial restoration
https://blog.cloudflare.com/iran-internet-partially-restored-may-2026/
* Enterprise security for the AI era
https://arxiv.org/abs/2605.22985
* Characterizing Starlink queuing configuration
https://arxiv.org/abs/2605.27717

#DNS #RPKI #Iran #AI #Starlink

ISP Column - May 2026

Cybersecurity is complicated. How North Korea cut its own Internet link while trying to secure it. https://labs.ripe.net/author/romain_fontugne/from-bgp-data-to-insight-simplifying-real-time-routing-analysis/

#BGP #RPKI

From BGP Data to Insight: Simplifying Real-Time Routing Analysis

The IHR BGP monitoring tool is a simple web-based application that leverages the RIS Live and BGPlay APIs to monitor your prefixes and their RPKI status.

RIPE Labs

🚨 More new routing insights on Radar!

- Track #RPKI ROA deployment history at a global/country/ASN level, going back 3+ years for valid prefixes & address space

https://radar.cloudflare.com/routing/rpki#rpki-roa-deployment

- Country level announced IP address space graphs now include a "Show top ASes" toggle. Stacked area graphs make it easier to identify the providers behind large address space withdrawals.

Example: https://radar.cloudflare.com/routing/ir?dateStart=2026-01-04&dateEnd=2026-01-10#announced-ip-address-space

As the RPKI ecosystem continues to evolve to provide the data for securing BGP Internet routing, the foundations are being laid for the long term need for forensic analysis tools and the long term study of that ecosystem.

For BGP, we've long had the MRT files gathered by various looking glass projects such as route-views. That data today is part of long term trend analysis for BGP and a tool for triaging global routing problems.

The rpki-views work and related IETF drafts for it, largely driven by Job Snijders, is providing a way to capture the state of the RPKI. As Internet routing analysis eventually becomes more dependent on the state of the RPKI at a given moment, such state becomes a critical component of any ex post facto analysis of BGP routing security from BGP routing data.

While the attached article is effectively discussing an "oops" while building out this ecosystem, it provides a good set of links to spelunk for the above topics.

#bgp #rpki #rpkiclient #ietf

https://blog.qrator.net/en/repairing-the-rpkiviews-h1-2026-archives_227/

Blog — Repairing the RPKIViews H1 2026 Archives

rpki-client 9.8 released

Routing security matters to all of us (even those of us who seldom give the subject any thought), and the rpki-client project announced the release of a new version of their Resource Public Key Infrastructure (RPKI) client, with a number of improvements.

The announcement reads

  • List: openbsd-announce
  • Subject: rpki-client 9.8 released
  • From: Sebastian Benoit
  • Date: 2026-04-14 23:20:42

    rpki-client 9.8 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users upgrade to this version for improved reliability.

    rpki-client is a FREE, easy-to-use implementation of the Resource
    Public Key Infrastructure (RPKI) for Relying Parties to facilitate
    validation of BGP announcements. The program queries the global RPKI
    repository system and validates untrusted network inputs. The program
    outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads
    in configuration formats suitable for OpenBGPD and BIRD, and supports
    emitting CSV and JSON for consumption by other routing stacks.

    See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
    Origin Validation help secure the global Internet routing system.

    rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker,
    Job Snijders, Theo Buehler, Theo de Raadt, and Sebastian Benoit as part
    of the OpenBSD Project.

    This release includes the following changes to the previous release:

    • Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling.
    • Fixed an accounting issue in HTTP gzip compression detection.
    • Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings.
    • Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22.
    • Ensure that a repository timeout correctly stops repository processing. Thanks to Fedor Vompe from Deutsche Telekom for reporting.
    • Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa. Thanks to Bart Bakker from RIPE NCC for reporting.
    • Fixed an issue in the parser for the locally configured constraints. Thanks to Daniel Anderson.
    • A malicious RRDP Publication Server can cause a NULL dereference. Thanks to Daniel Anderson for reporting.
    • A malicious RPKI Publication Server can cause an incorrect error exit. Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua University, and Teatime Lab for reporting.

Go read ALL about it here!

https://undeadly.org/cgi?action=article;sid=20260415115612

#rpki #client #resource #public #key #infrastructure #openBSD #OpenSource #programming #networking

I've submitted a Pull Request to update MacPorts' rpki-client to 9.8 here:

https://github.com/macports/macports-ports/pull/32251

GitHub Continuous Integration checks passed OK!

It's up to someone else to merge it.

I couldn't help but notice the most recent OpenBGPD release announcement mentioned something about a -portable branch? Admittedly, it has been a very long time since I looked at building OpenBGPD on macOS, but maybe it is worth looking at again? I still think it is probably ill advised to use macOS for something as critical as routing insomuch as it sleeps, with abandon, unless /usr/bin/caffeinate is invoked.

#RPKI #MacPorts #rpkiーclient #RPKIclient #OpenSource #BGP #Routing
rpki-client: update to 9.8 by artkiver · Pull Request #32251 · macports/macports-ports

Description Type(s) bugfix enhancement security fix Tested on macOS 26.4.1 25E253 arm64 Command Line Tools 26.4.0.0.1774242506 Verification Have you followed our Commit Message Guideline...
